DE
FR
IT
EN
About us
Blog
Jobs 3
Meet
Support
WEB HOSTING
SERVER
DOMAINS
E-MAIL & OFFICE
WEBSITE
WEBSHOP
SEO
ABOUT US
BLOG
Jobs3
Support
Login
The new FADP and the cookie banner confusion: what are the latest rules?

The new FADP and the cookie banner confusion: what are the latest rules?

Cookie banners: an everyday phenomenon that divides opinion and raises tempers. One thing’s for sure, however: cookie banners are ubiquitous. Attorney Lucian Hunger and junior associate Alisa Winter from the VISCHER law firm have written this guest post for the Hostpoint blog focusing on cookie banners in the context of the new Swiss Federal Act on Data Protection.

Expertise
Lucian Hunger Lucian Hunger · Attorney at Law, VISCHER

Nowadays, a banner pops up immediately on almost every website asking us to accept or refuse cookies, or simply to inform us that cookies are being used before we can browse the website.

In the case of Switzerland, this question can be answered by taking a look at the Telecommunications Act (TCA). This states, in Art. 45c TCA, that “processing of data on external equipment by means of transmission using telecommunications techniques is permitted only […] if users are informed about the processing and its purpose and are informed that they may refuse to allow processing.”

Accordingly, in principle, the use of cookies and other technologies in Switzerland does not require consent, as long as the user does not assert their right of refusal or the relevant website uses methods that do not involve personal data. According to Swiss law, it’s sufficient to provide information on processing and the right of refusal. Asking for consent via a cookie banner is not required.

According to Swiss law, cookie banners are not required for Swiss websites.

However, it is also conceivable that information about the processing and its purpose or the right of refusal does not even have to be provided. After all, the obligation set out in the Telecommunications Act only exists in those circumstances in which the following prerequisites are met:

At this juncture, it’s also worth noting the following point: Art. 45c TCA is technology neutral. This means its provisions must be complied with not only when cookies are in use, but are applicable irrespective of whether cookies or other comparable technologies are used. What matters is whether the above conditions are fulfilled or not.

What changes with the new Swiss Federal Act on Data Protection?

In short: with regard to cookie banners, nothing. They are also not required under the new Swiss legislation.

The revised Federal Act on Data Protection (FADP) entering into force on September 1, 2023 sets out a new provision in Art. 7(3) whereby the controller (website operator) must also ensure through pre-defined settings that the processing of the personal data is limited to the minimum required by the purpose, unless the data subject directs otherwise. In some places, this stipulation is interpreted as an obligation to use cookie banners. However, in the view of VISCHER's legal experts, this is not correct: the controller can provide the user with several cookie and data-protection options. If they offer such options to choose from and the cookies contain personal data, then – and only then – must the pre-defined setting provide for the least extensive setting on the basis of the new provision. However, if the website does not offer the option to choose, then logically no pre-defined settings are needed.

The new law therefore changes nothing in this area: from September 2023, there is no obligation for websites aimed at users in Switzerland to have cookie banners. Incidentally, there is also no obligation that a box on a consent banner may not already be pre-checked.

When processing personal data (e.g. using cookies or other technologies), the provisions of the Federal Act on Data Protection, as well as the Telecommunications Act, must be observed. Assessing the lawfulness of data processing and the necessity of consent may also be required in the event that data is disclosed to third parties or abroad, or in the event of particularly extensive tracking.


In a previous Hostpoint blog post, the VISCHER law firm described what to look out for in the new Federal Act on Data Protection. Read the post “The new Data Protection Act will take effect in 2023. What you need to know

What do I need to do now as a website operator?

As we’ve mentioned, a cookie banner is generally not required – neither to obtain consent or inform users about the use of cookies.

If cookies or other technologies are used, processing and the purposes of processing must be referred to in the privacy policy available on the website. In addition, the privacy policy must indicate that users can refuse processing by changing their own browser settings.

A more user-friendly method of refusal can also be integrated into the site if no settings options are provided. Otherwise, these would have to provide the least extensive setting when visiting the website.

Find out more:
In a previous post on the Hostpoint blog, the law firm VISCHER put together some important and helpful tips for drafting a privacy policy for your own website. Read the post “How to write a good privacy policy for your website”.

European law

However, caution is advised. Although cookie banners are not legally required for websites in Switzerland under Swiss law, there’s a (rather considerable) catch:

Swiss companies and website operators may be obliged under European law to use cookie banners and obtain consent. If a website is aimed at EU member states, the ePrivacy Directive or its national implementing legislation may apply. The ePrivacy Directive states that the storage of information or access to information that is already stored on a user’s device is only permitted after clear and informed consent, unless it involves data that is technically required to provide the desired service in the first place. According to EU law, unlike Swiss legislation, prior consent is required to obtain and process information. This consent can be obtained via a cookie banner, for instance.

Like the Swiss Telecommunications Act, the ePrivacy Directive is also technology-neutral and applies irrespective of whether cookies are stored or other technologies (such as what is known as “fingerprinting”) are used to access information on the device. It therefore depends on the precise design of the technology in each case, not on what the technology is called. If a “cookieless” method is used, you should not automatically draw the conclusion that consent is not required. According to the ePrivacy Directive, what matters is whether information is stored on the device or stored information is accessed. In the latter case, the widespread (but not undisputed) view is that it must still be decided whether only information is processed that the browser sends to the server anyway (known as “header information”) or whether further information is actively accessed. According to the ePrivacy Directive, consent is usually not required for processing information that is sent additionally by the browser.

If websites are used to sell products in the EEA, cookie banners are required in certain cases according to the ePrivacy Directive and GDPR.

Now it gets really interesting: if a Swiss company (using its website, for instance) offers goods or services in the European Economic Area (EEA) or tracks the behavior of individuals in the EEA, they may be required to consider the provisions of the European General Data Protection Regulation (GDPR) in addition to the ePrivacy Directive. The GPDR applies not only in the EU, but in the entire EEA (including Liechtenstein, for instance). It is only applicable if a personal reference can be established. In the view of many EEA data protection authorities, however, this already exists if individual users can be specified with the allocation of identification numbers. If technologies are used to track users over multiple visits and then create a profile for marketing purposes, many EEA data protection specialists believe that consent is required as a basis, even if the visitors cannot be identified.

A website operator is therefore well-advised always to check whether the ePrivacy Directive or GDPR are actually applicable in the first instance. If this is the case, consent is generally required by means of a cookie banner when using cookies. With a “cookieless” method, the exact design may require closer examination. To minimize potential risks, it may therefore make sense to obtain consent for the sake of simplicity. Work on the ePrivacy Regulation is currently underway in the EU. This may entail further new developments in future.

About the authors:
This post was written by two legal experts, Lucian Hunger (attorney) and Alisa Winter (junior associate) at the VISCHER law firm, and was contributed as a guest post to the Hostpoint blog.

Expertise
From zero to digital: What startups need for a digital launch

From zero to digital: What startups need for a digital launch

Expertise
Claudius Röllin Claudius Röllin · Co-Founder & CPO
Phishing in the age of artificial intelligence

Phishing in the age of artificial intelligence

Security
Martin Schlatter Martin Schlatter · Abuse Desk Specialist
Domain extension .swiss coming soon for private individuals

Domain extension .swiss coming soon for private individuals

Domains
Sebastian Rosa Sebastian Rosa · Social Media & Content Manager
How to migrate your website to Hostpoint

How to migrate your website to Hostpoint

Hosting & e-mail
Claudius Röllin Claudius Röllin · Co-Founder & CPO
Optimization made easy: must-have WordPress plugins

Optimization made easy: must-have WordPress plugins

Websites & shops
Rita Ludwig-Helmchen Rita Ludwig-Helmchen · Technical Consultant
Make your online shop a success with these tips and tricks

Make your online shop a success with these tips and tricks

Websites & shops
Sebastian Rosa Sebastian Rosa · Social Media & Content Manager
ICT careers without gender boundaries: the influence of National Future Career Day

ICT careers without gender boundaries: the influence of National Future Career Day

Inside
Sebastian Rosa Sebastian Rosa · Social Media & Content Manager
SEO for your website: what you need to know about search engine optimization

SEO for your website: what you need to know about search engine optimization

Expertise Websites & shops
Nadine Jordan Nadine Jordan · Social Media & Content Manager
Allow us to introduce you to the new e-mail services from Hostpoint

Allow us to introduce you to the new e-mail services from Hostpoint

Hosting & e-mail
Claudius Röllin Claudius Röllin · Co-Founder & CPO
The new Data Protection Act will take effect in 2023. What you need to know

The new Data Protection Act will take effect in 2023. What you need to know

Expertise
Lucian Hunger Lucian Hunger · Attorney at Law, VISCHER
Third-party cookies to be phased out on Chrome – what that means

Third-party cookies to be phased out on Chrome – what that means

Expertise
Claudius Röllin Claudius Röllin · Co-Founder & CPO
Looking for eye-catching icons for your website? Find them here

Looking for eye-catching icons for your website? Find them here

Expertise
Mauro Landolt Mauro Landolt · Head of Communication
How to write a good privacy policy for your website

How to write a good privacy policy for your website

Expertise
Sarah Bischof Sarah Bischof · Attorney at Law, VISCHER
Counted and compared: the Swiss internet in figures

Counted and compared: the Swiss internet in figures

Expertise
Mauro Landolt Mauro Landolt · Head of Communication
For an easy-to-read website, fonts are your friend

For an easy-to-read website, fonts are your friend

Expertise
Mauro Landolt Mauro Landolt · Head of Communication
How does a domain transfer work and what should be considered?

How does a domain transfer work and what should be considered?

Domains
Dario Baumgartner Dario Baumgartner · Head of Domains
“My journey from apprenticeship to system engineer at Hostpoint”

“My journey from apprenticeship to system engineer at Hostpoint”

Inside
Pascal Christen Pascal Christen · Junior System Engineer
WordPress 6.0 is coming soon! What users can look forward to

WordPress 6.0 is coming soon! What users can look forward to

Websites & shops
Rita Ludwig-Helmchen Rita Ludwig-Helmchen · Technical Consultant
Looking for images for your website? Here’s what you need to know

Looking for images for your website? Here’s what you need to know

Expertise
Mauro Landolt Mauro Landolt · Head of Communication
Focus on hacking (2): What hackers want to gain by attacking my website

Focus on hacking (2): What hackers want to gain by attacking my website

Security
Martin Schlatter Martin Schlatter · Abuse Desk Specialist
Focus on hacking (1): What to do if your website has been hacked?

Focus on hacking (1): What to do if your website has been hacked?

Security
Martin Schlatter Martin Schlatter · Abuse Desk Specialist
The importance of the Core Web Vitals in Google rankings

The importance of the Core Web Vitals in Google rankings

Expertise
Claudius Röllin Claudius Röllin · Co-Founder & CPO
“We are a well-coordinated and very collegial team.”

“We are a well-coordinated and very collegial team.”

Inside
Michèle Bücheler Michèle Bücheler · Head of Human Resources
Hostpoint Webshop: the main features at a glance

Hostpoint Webshop: the main features at a glance

Websites & shops
Boban Lapcevic Boban Lapcevic · Technical Consultant
“We recognized a need for weekend phone support.”

“We recognized a need for weekend phone support.”

Inside
Mauro Landolt Mauro Landolt · Head of Communication
What is WordPress? A short introduction

What is WordPress? A short introduction

Websites & shops
Claudius Röllin Claudius Röllin · Co-Founder & CPO
More than just .ch and .com: the huge variety of top-level domains

More than just .ch and .com: the huge variety of top-level domains

Domains
Dario Baumgartner Dario Baumgartner · Head of Domains
Phishing: the nuisance of e-mail scams

Phishing: the nuisance of e-mail scams

Security
Mauro Landolt Mauro Landolt · Head of Communication
Zurich now has its own top-level domain – .zuerich!

Zurich now has its own top-level domain – .zuerich!

Domains
Mauro Landolt Mauro Landolt · Head of Communication
Your own domain – precious, indispensable and worth protecting

Your own domain – precious, indispensable and worth protecting

Domains
Mauro Landolt Mauro Landolt · Head of Communication
Better performance thanks to DNS Anycast

Better performance thanks to DNS Anycast

Domains
Mauro Landolt Mauro Landolt · Head of Communication
Nginx. The web server for high demands

Nginx. The web server for high demands

Hosting & e-mail
Mauro Landolt Mauro Landolt · Head of Communication
Making the internet that little bit more secure with DNSSEC

Making the internet that little bit more secure with DNSSEC

Domains Security
Mauro Landolt Mauro Landolt · Head of Communication
Complete control with your Managed Flex Server from Hostpoint

Complete control with your Managed Flex Server from Hostpoint

Hosting & e-mail
Mauro Landolt Mauro Landolt · Head of Communication
New PHP release 7.4 for better security and performance

New PHP release 7.4 for better security and performance

Hosting & e-mail
Mauro Landolt Mauro Landolt · Head of Communication
Google only wants websites with https from now on. Are you ready?

Google only wants websites with https from now on. Are you ready?

Security
Claudius Röllin Claudius Röllin · Co-Founder & CPO
The new EU GDPR: what do website operators need to know?

The new EU GDPR: what do website operators need to know?

Expertise
Claudius Röllin Claudius Röllin · Co-Founder & CPO
Lightning-fast websites with HTTP/2

Lightning-fast websites with HTTP/2

Hosting & e-mail
Hostpoint Hostpoint
Our daily efforts in pursuit of innovation

Our daily efforts in pursuit of innovation

Inside
Hostpoint Hostpoint
Ransomware – the extortionists are coming!

Ransomware – the extortionists are coming!

Security
Hostpoint Hostpoint
Email: the long and windy road to the recipient

Email: the long and windy road to the recipient

Hosting & e-mail
Hostpoint Hostpoint
Tips for choosing the right domain name

Tips for choosing the right domain name

Domains
Hostpoint Hostpoint
SSL certificates: no chance for fraudulent websites

SSL certificates: no chance for fraudulent websites

Security
Hostpoint Hostpoint
How to make your website secure

How to make your website secure

Security
Hostpoint Hostpoint
Subpar security on Swiss websites

Subpar security on Swiss websites

Security
Hostpoint Hostpoint
.swiss is now available for (almost) everyone!

.swiss is now available for (almost) everyone!

Domains
Hostpoint Hostpoint
PHP 7 – The fastest PHP version of all time is here!

PHP 7 – The fastest PHP version of all time is here!

Hosting & e-mail
Hostpoint Hostpoint
FreeSSL: Now everyone can get SSL encryption for free!

FreeSSL: Now everyone can get SSL encryption for free!

Security
Hostpoint Hostpoint
Swiss online shops: new VAT legislation with the EU

Swiss online shops: new VAT legislation with the EU

Websites & shops
Hostpoint Hostpoint
Free hosting usually comes with strings attached.

Free hosting usually comes with strings attached.

Hosting & e-mail
Hostpoint Hostpoint
Migrating e-mail accounts: not always such an easy task

Migrating e-mail accounts: not always such an easy task

Hosting & e-mail
Hostpoint Hostpoint
Google loves backlinks

Google loves backlinks

Expertise
Hostpoint Hostpoint
Obligation to provide an impressum in Switzerland

Obligation to provide an impressum in Switzerland

Expertise
Martin Steiger Martin Steiger · Medienrechtsanwalt
Show more posts
Visualization of an email inbox in a laptop screen with Cloud Office icon. Visualization of an email inbox in a laptop screen with Cloud Office icon.

An e-mail address with your own domain

Discover the new e-mail packages with Cloud Office from Hostpoint. The domain of your choice for your email addresses, generous mailbox and Drive storage, various Office tools and much more.

Set up an e-mail address